MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d34e796266410aff6fcad07b74545d3121bfc595cadef5370c01153b4dbf0047. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments 1

SHA256 hash:	d34e796266410aff6fcad07b74545d3121bfc595cadef5370c01153b4dbf0047
SHA3-384 hash:	5d519d319cf4c447b2269678732949798fd4eb3ae62e693a18d053ecec2fdece151557761ab946a6243d839a69041e84
SHA1 hash:	c9477fc460b0b44c63c2a5f83a178c398b6a36fd
MD5 hash:	59fb7442592a9c032fbabad5a797fbde
humanhash:	glucose-fanta-blue-music
File name:	59fb7442592a9c032fbabad5a797fbde
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	98'304 bytes
First seen:	2021-07-29 11:28:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	1536:XHB+zRmEOBCoUi6HW+iGXgktM20VbN8FAh8xx+Ombf9Bo3HHTPyHddoh30txbIjf:XwzRmEVoUxW+iGXNtM2EuA8x+b1UHHbL
Threatray	940 similar samples on MalwareBazaar
TLSH	T132A33C28A3AC9B25D2FD4B7566B001194FF0F18B6012EB4B4DC1BCDE2F66BC275195E2
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://secure.eicar.org/eicarcom2.zip

Verdict:

Malicious activity

Analysis date:

2021-07-29 11:47:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/72938824-d09b-4a3f-80ab-c470f20c510a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/174998/

Detection(s):

Win.Malware.Bulz-9880537-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c7501dc2-f1ed-48c6-9c02-83d9b047d728

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/823789

Signature

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Multi AV Scanner detection for submitted file

Potential time zone aware malware

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-19 12:49:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

35 of 46 (76.09%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2nhhsytgiefp636k2b5xivc5geq37rmvzlppknymaektwtn7abdq._file

Verdict:

malicious

RedLineStealer

0a57da60edb393260bde08820ab954d33416b778abf9f2a36627e321079afe2e

RedLineStealer

2ab38fdbe562dd5a6be9651562e1523dbf7f3fd7d720d57bc9a25b0e2b665640

RedLineStealer

3eed2868066aee69ca5877fac912a67692f01b2cb2b45a71e9d15f67c1a51a47

RedLineStealer

53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9

RedLineStealer

8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

RedLineStealer

a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe

RedLineStealer

b06a04969f5856d665a1e837f7aed8b1adfca9e44d06e7d5100b8c3adac4df79

RedLineStealer

b5736b6878b89a101d24407f6b25773e4c30755841e6256eae33771192d667e3

RedLineStealer

d4318bfc9c962824b9254a8eecaa7f30c5e6cc3a209a6d8ef84395aeab2403b7

RedLineStealer

+ 930 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@bbakoch

Link:

https://tria.ge/reports/210729-wd5c37zj66/

Behaviour

Suspicious use of AdjustPrivilegeToken

Malware Config

C2 Extraction:

185.186.142.55:10425

Unpacked files

SH256 hash:

d34e796266410aff6fcad07b74545d3121bfc595cadef5370c01153b4dbf0047

MD5 hash:

59fb7442592a9c032fbabad5a797fbde

SHA1 hash:

c9477fc460b0b44c63c2a5f83a178c398b6a36fd

Link:

https://www.unpac.me/results/8dce0b16-d8e2-4961-bbae-059f629aecbe/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/d34e796266410aff6fcad07b74545d3121bfc595cadef5370c01153b4dbf0047

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)